Additional Questions Concerning Use of the EINSTEIN 2.0 Intrusion-Detection System The deployment of an intrusion-detection system known as the EINSTEIN 2.0 program on the unclassified computer networks of the Executive Branch is consistent with the federal and state laws discussed in this opinion. Under the best reading of the statute, the EINSTEIN 2.0 program would not violate section 705 of the Communications Act, because it would fall within section 705’s exception permitting a person to “divulge” a communication through “authorized channels of transmission or reception,” which allows either the sender or the recipient of an Internet communication to convey the required authorization by consenting to a communication’s disclosure, including by clicking through an approved log-on banner or signing the computer-user agreement in order to gain access to a government-owned information system. If section 2702(a)(3) of the Stored Communications Act applied to the EINSTEIN 2.0 program, the exception in section 2702(c)(1)(C) permitting disclosure based on “the lawful consent of the customer or subscriber” would also apply, because in this context the government, and no other party, should be understood as the “customer or sub- scriber” of the Internet service provider. If a state law imposed requirements on the EINSTEIN 2.0 program exceeding those imposed by these federal statutes, it would stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress and therefore be unen- forceable under the Supremacy Clause of the Constitution.
August 14, 2009
MEMORANDUM OPINION FOR THE ASSOCIATE DEPUTY ATTORNEY GENERAL
You have asked us to address whether the deployment of an intru- sion-detection system known as the “EINSTEIN 2.0” program on the unclassified computer networks of the Executive Branch is consistent with (1) section 705(a) of the Communications Act of 1934, as amended, 47 U.S.C. § 605(a) (2006); (2) the provision of the Stored Communica- tions Act codified at 18 U.S.C. § 2702(a)(3) (2006); and (3) state laws concerning interception or electronic surveillance. For the reasons given below, we conclude that it is. 1
1 We solicited the views of the Criminal Division and National Security Division on
each of these questions. Both components concur in our conclusions.
269 33 Op. O.L.C. 269 (2009)
I.
You have asked whether by engaging in any of the activities that are part of the EINSTEIN 2.0 program, 2 the Department of Agriculture (“USDA”), the Department of Homeland Security (“DHS”), or the relevant Internet service provider (“ISP”) would violate section 705(a) of the Communications Act of 1934, as amended, 47 U.S.C. § 605(a) (2006). Although this is a novel question, and the statute is hardly a model of clarity, we conclude that under the best reading of the statute, the EINSTEIN 2.0 activities would not violate section 705. In pertinent part, section 705 provides: Except as authorized by chapter 119, title 18 [i.e., the Wiretap Act], no person receiving, assisting in receiving, transmitting, or as- sisting in transmitting, any interstate or foreign communication by wire or radio shall divulge or publish the existence, contents, sub- stance, purport, effect, or meaning thereof, except through author- ized channels of transmission or reception, (1) to any person other than the addressee, his agent, or attor- ney, (2) to a person employed or authorized to forward such com- munication to its destination, (3) to proper accounting or distributing officers of the various communicating centers over which the communication may be passed, (4) to the master of a ship under whom he is serving, (5) in response to a subpena issued by a court of competent ju- risdiction, or (6) on demand of other lawful authority. 47 U.S.C. § 605(a). 3 The Communications Act defines “person” in 47 U.S.C. § 153(32) (2006) to “include[] an individual, partnership, associa-
2 These activities are described in detail in a memorandum of this Office. See Use of the EINSTEIN 2.0 Intrusion-Detection System to Protect Unclassified Computer Networks in the Executive Branch, 33 Op. O.L.C. 63 (2009) (“EINSTEIN 2.0 Opinion”). 3 Section 705 contains additional prohibitions, such as on the “intercept[ion] [of] any
radio communication and divulg[ing] or publish[ing]” of its contents, and on the use for personal benefit of radio communications intercepted or received without authorization.
270 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
tion, joint-stock company, trust, or corporation.” “[C]ommunication by wire” is defined as “the transmission of writing, signs, signals, pictures, and sounds of all kinds by aid of wire, cable, or other like connection between the points of origin and reception of such transmission, including all instrumentalities, facilities, apparatus, and services (among other things, the receipt, forwarding, and delivery of communications) inci- dental to such transmission.” Id. § 153(52). 4 Although the scope of section 705’s prohibition is not entirely clear on its face, case law supports reading the provision as a general bar on a “person receiving, assisting in receiving, transmitting, or assisting in transmitting” wire or radio communications from “divulg[ing]” or “pub- lish[ing]” such communications to persons other than the addressee, his agent or attorney, except “through authorized channels of transmission or reception,” as “authorized by” the Wiretap Act, or in the circumstances enumerated in clauses (2) through (6). In United States v. Finn, 502 F.2d 938, 942 (7th Cir. 1974), for instance, the court identified the “absurdi- ties” that would result from a literal reading of the text, including that “[c]lauses (2) through (6) would be rendered meaningless, for all of those categories are completely covered by the more general clause (1).” Simi- larly, reading clause (6) as a prohibition “would forbid divulgence of a communication ‘on demand of other lawful authority,’” thereby “ren- der[ing] all such demands unlawful and by its own terms [] eliminat[ing] the very category to which it refers.” Instead, the court concluded, clauses (2) through (6) should be read “as exceptions to the general prohibition of clause (1),” a construction the court viewed as “the only way to give effect to the Congressional intent.” Id. Finn is consistent with a line of precedents interpreting the pre-Wiretap Act version of this provision,
Except for the first sentence of section 705 quoted above, these additional provisions extend only to “radio” communications, which are not at issue here. See 47 U.S.C. § 605(a); id. § 153(33) (defining “radio communication” to “mean[] the transmission by radio of writing, signs, signals, pictures, and sounds of all kinds”). 4 This definition of “wire communication” is substantially similar to the definition
of “electronic communication” under the Wiretap Act, 18 U.S.C. § 2510(12) (2006), which includes “any transfer of signs, signals, writing, images, sounds, data, or intelli- gence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” Cf. id. § 2510(1) (defining “wire communication” under the Wiretap Act to mean an “aural transfer”).
271 33 Op. O.L.C. 269 (2009)
which contained substantially similar language. For instance, in Nardone v. United States, 302 U.S. 379, 380–81 (1937), the Supreme Court charac- terized the version of section 705 then in effect as providing that “no person who, as an employee, has to do with the sending or receiving of any interstate communication by wire shall divulge or publish it or its substance to anyone other than the addressee or his authorized representa- tive or to authorized fellow employees, save in response to a subpoena issued by a court of competent jurisdiction or on demand of other lawful authority.” 5 See also Hanna v. United States, 404 F.2d 405, 408–09 (5th Cir. 1968) (“[I]nformation thus lawfully obtained may be divulged ‘in response to a subpoena issued by a court of competent jurisdiction, or on demand of other lawful authority.’” (quoting section 705)); Bubis v. United States, 384 F.2d 643, 646–47 (9th Cir. 1967) (“[N]o . . . person shall divulge or publish the existence, contents, substance, purport, or effect of any such communication to anyone other than the addressee or his authorized representative, or to authorized fellow employees, or in response to a subpoena issued by a court of competent jurisdiction, or on
The version of the statute at issue in Nardone provided that: 5
No person receiving or assisting in receiving, or transmitting, or assisting in transmitting, any interstate or foreign communication by wire or radio shall divulge or publish the existence, contents, substance, purport, effect, or meaning thereof, except through authorized channels of transmission or reception, to any person oth- er than the addressee, his agent, or attorney, or to a person employed or authorized to forward such communication to its destination, or to proper accounting or dis- tributing officers of the various communicating centers over which the communica- tion may be passed, or to the master of a ship under whom he is serving, or in re- sponse to a subpena issued by a court of competent jurisdiction, or on demand of other lawful authority; and no person not being authorized by the sender shall inter- cept any communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person; and no person not being entitled thereto shall receive or assist in receiving any inter- state or foreign communication by wire or radio and use the same or any infor- mation therein contained for his own benefit or for the benefit of another not enti- tled thereto; and no person having received such intercepted communication or having become acquainted with the contents, substance, purport, effect, or meaning of the same or any part therof, knowing that such information was so obtained, shall divulge or publish the existence, contents, substance, purport, effect, or mean- ing of the same or any part thereof, or use the same or any information therein con- tained for his own benefit or for the benefit of another not entitled thereto . . . . Communications Act of 1934, Pub. L. No. 73-416, § 605, 48 Stat. 1064, 1103–04.
272 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
demand of other lawful authority.”); Brandon v. United States, 382 F.2d 607, 611 (10th Cir. 1967) (similar). Although our research has not uncovered any case law applying sec- tion 705 in the context of cybersecurity activities, we conclude that the EINSTEIN 2.0 program falls within section 705’s authorization to “di- vulge” a communication through an “authorized channel[] of transmission or reception.” We assume for purposes of this analysis—but do not de- cide—that federal-systems Internet traffic would constitute “communica- tion[s] by wire” under section 705, that the EINSTEIN 2.0 program would involve “divulg[ence] or publi[cation]” of the contents of such communi- cations, that DHS or USDA would be a “person receiving, assisting in receiving, transmitting, or assisting in transmitting” such communica- tions, and that the program would not be “authorized by” the Wiretap Act. 6
6 A number of those assumptions may not be necessary, and thus there may be addi- tional bases for concluding that the EINSTEIN 2.0 program would not violate section 705. An argument might be made, for instance, that program activities are “authorized by” the Wiretap Act for purposes of section 705 because they are not affirmatively prohibited by that Act. Compare United States v. Freeman, 524 F.2d 337, 340 & n.5 (7th Cir. 1976) (phrase “[e]xcept as authorized by [the Wiretap Act]” in section 705 “permits” telephone companies to protect their rights or property pursuant to the relevant exception in 18 U.S.C. § 2511(2)(a)(i)), with EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 103 (concluding that “the better reading” of a related exception in FISA for conduct “authorized by” the Wiretap Act was to refer to affirmative “orders” obtained under that Act, rather than activities that “merely are not prohibited by those statutes”). Although we need not, and do not, resolve this question here, we note that such a reading of section 705 would not only incorporate the Wiretap Act’s consent exception, see 18 U.S.C. § 2511(2)(a)(ii) (2006), but would also appear to import wholesale all of the statutory exceptions found in that Act, cf., e.g., id. § 2511(2)(a)(i) (“rights or property”), essentially collapsing section 705 and the Wiretap Act into a single standard, notwithstanding that section 705(a) retained, by its plain terms, an independent limitation regarding wire communications. It might separately be contended that any disclosure of communications by the service provider to DHS would occur on “demand of other lawful authority,” although here DHS has entered into an agreement with USDA and thus arguably is not “demand[ing]” disclosure of communications. Cf. Brown v. Continental Tel. Co., 670 F.2d 1364, 1365– 66 (4th Cir. 1982) (request for records and telephone bills served on telephone company by Attorney for the Commonwealth was a “demand of . . . lawful authority” under section 705 because the statute’s plain text contemplated the release of protected information “to appropriate authorities in response to a demand less compelling than a subpoena”). And with respect to any conduct of USDA or DHS that is potentially within the scope of section 705, there is some question whether the first sentence of section 705 applies to
273 33 Op. O.L.C. 269 (2009)
We begin with the text of section 705, which expressly permits a “di- vulge[nce] or publi[cation]” of a wire communication made “through authorized channels of transmission or reception.” We believe the plain language of section 705 is fairly interpreted to include the EINSTEIN scanning sensors as a “channel[] of transmission or reception” of Internet communications, particularly where a party to the communication has, as here, expressly authorized such scanning. In reaching this conclusion, we have considered the potential ambiguities concerning both what consti- tutes a “channel of transmission or reception” and what constitutes a channel that has been “authorized” for purposes of section 705. As to the first issue, we are aware of a narrower construction of the phrase “channel[] of transmission or reception” that would be limited to the channel through which the communication actually passes from recip- ient to sender. Under such a reading, section 705 would prohibit, inter alia, forwarding of a mirror copy of federal systems Internet traffic to EINSTEIN 2.0 sensors for processing, see EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 67–68, or DHS’s disclosure to another federal agency if that disclosure did not involve transmitting the communication to its recipient, unless one of the other express exceptions in the statute applied. But the text of the section does not by terms compel that narrower reading, given the placement of the relevant phrase. That phrase is located where it could be read to qualify the prohibition against divulgence to third parties, and thus to indicate that the channels being referenced are those that might be used to reach third parties. Indeed, the phrase itself, in its second appear- ance in the section, is not limited to channels of transmission by “wire,”
government employees. Compare United States v. Hall, 488 F.2d 193, 195 (9th Cir. 1973) (superseded on other grounds) (“The legislative history [] explicitly shows that Congress intended to exclude law enforcement officers from the purview of the new [section 705]”); S. Rep. No. 90-1097, at 108 (1968) (“[The first sentence of section 705] is designed to regulate the conduct of communications personnel.”); and Int’l Cablevision, Inc. v. Sykes, 75 F.3d 123, 131 n.4 (2d Cir. 1996) (similar), with Nardone, 302 U.S. at 381 (“Taken at face value the phrase ‘no person’ [in the pre-Wiretap Act version of section 705] comprehends federal agents[.]”); and United States v. Sugden, 226 F.2d 281 (9th Cir. 1955) (interpreting pre-Wiretap Act version of section 705 to permit FCC agents to “listen [to radio communications] for the purpose of enforcing the [Communications] [A]ct” but to require exclusion of evidence, in a criminal prosecution unrelated to violations of that Act, obtained by FCC agents who intercepted defendant’s short range radio transmis- sions). We need not, and do not, resolve these issues in light of our conclusion that the exercise falls within section 705’s “authorized channels of transmission” provision.
274 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
suggesting a potentially broad conception of the means by which commu- nications may be passed along. Furthermore, the text is not clear that the channel in question must be the one through which the original communi- cation travels, as the text specifically refers to the divulgence, not of the communication itself, but of its substance or meaning. Insofar as the phrase “channels of transmission or reception” qualifies the divulgence, as its placement indicates, it is clearly intended to refer to channels other than those through which the communication flows. As to whether the channel would be “authorized” for purposes of sec- tion 705, the dictionary defines “authorized” as “having authority[;] . . . recognized as having authority[;] . . . approved,” and defines “authori- ty” as, inter alia, “justifying grounds: basis, warrant.” Webster’s Third New International Dictionary 146 (3d ed. 1993). The statute does not specify the source or nature of the “authoriz[ation]” required. As a matter of ordinary meaning, the term “authorized” is certainly broad enough to encompass either the sender or receiver of a communication expressly authorizing—by means of indicating consent to—divulgence or publication. This reading is also supported by the terms of section 705’s second sentence, which states that “[n]o person not being author- ized by the sender shall intercept any radio communication and divulge or publish” that communication. 47 U.S.C. § 605(a) (emphasis added). That Congress chose the unqualified term “authorized” in the first sentence, while expressly limiting which party could authorize disclo- sure in the second, suggests an intent that the term be given a broader reading in the former instance. 7 We therefore would interpret the phrase “authorized channels of transmission or reception” to permit either the sender or the recipient of an Internet communication to convey the required authorization by consenting to a communication’s disclosure in the context of the EINSTEIN 2.0 system. Although we are not aware of any judicial precedent directly on point, we draw support for this reading of the statute from case law analyzing
7 Our reading of “authorized” arguably also draws support from, and is entirely con-
sistent with, the use of the word “authorizing” in the text of section 705(b), which con- templates a “marketing system” for satellite communications in which “agents have been lawfully designated for the purpose of authorizing private viewing by individuals” and “individuals receiving [satellite] programming ha[ve] obtained authorization for private viewing under that [marketing] system.” 47 U.S.C. § 605(b).
275 33 Op. O.L.C. 269 (2009)
consent by either the sender or receiver of a communication in determin- ing whether interception or divulgence of a telephone call violated certain related provisions in section 705. In Rathbun v. United States, 355 U.S. 107 (1957), for instance, the Supreme Court held that the second clause of the version of section 705 then in effect (which provided that “no person not being authorized by the sender shall intercept any communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person,” see supra note 5) was not violated where the recipient of a phone call asked the police to listen to the call on an extension telephone in his home. The Court concluded, notwithstanding the statute’s specific reference to the “authoriz[ation] [of] the sender,” that “there ha[d] been no ‘interception’ as Congress intended that the word be used.” 355 U.S. at 109. The Court looked to another related provision of section 705, which then prohibited any person from “receiv[ing] or assist[ing] in receiving any interstate or foreign communication by wire or radio and us[ing] the same or any information therein contained for his own benefit.” That provision, the Court explained, gave “[t]he clear inference . . . that one entitled to re- ceive the communication may use it for his own benefit or have another use it for him.” Id. at 110. In dictum the Court further observed that even the defendant in that case conceded that under section 705 “either party may record the [telephone] conversation and publish it.” Id. Similarly, in Weiss v. United States, 308 U.S. 321 (1939), the Court held evidence to be inadmissible in a criminal trial where federal agents had violated the same provision of section 705 as in Rathbun (the prohibi- tion against any person “not being authorized by the sender” intercepting and divulging communications) by tapping the defendant’s intrastate phone calls. In rejecting the government’s argument that the defendant’s trial testimony about the intercepted conversations constituted consent, the Court relied on the fact that “divulgence was not consented to by either of the parties to any of the telephone conversations.” Id. at 330 (emphasis added). More recently, in United States v. Hodge, 539 F.2d 898 (6th Cir. 1976), the court rejected a defendant’s claim that agents of the Drug Enforcement Agency had violated section 705 by recording tele- phone conversations between the defendant and a government informant. (The informant in the case had consented to the DEA monitoring.) The court quoted section 705 in full before tersely dismissing the defendant’s claim, explaining that “[i]t is well settled that there is no violation of the
276 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
[Communications] Act if the interception was, as here, authorized by a party to the conversation.” Id. at 905. 8 Although these cases do not interpret the phrase in section 705 upon which we rely here, they provide at least indirect support for reading the word “authorized,” which appears without qualification as to the scope of the persons encompassed by it, to permit the recipient of a communication (either a federal agency, in the case of communications directly to that agency, or individual federal employees, in the case of communications to those employees) to consent to and thereby authorize the communica- tion’s disclosure in the context of the EINSTEIN 2.0 program. 9 At a minimum, our reading of the unqualified word “authorized” is consistent with what appears to have been the prior understanding that the statute was not, absent an express limitation regarding the scope of any consent exception, intended to require two-party consent for any such exception to apply. As we explain below, we believe that under our reading of section 705, the manifestations of consent by USDA in conjunction with those of
8 A modern line of cases brought by plaintiff corporations to prevent the unauthorized reception or transmission of satellite television signals has focused on the consent of the sending party in determining whether a “divulg[ence]” was “authorized.” See, e.g., National Satellite Sports, Inc. v. Eliadis, Inc., 253 F.3d 900, 916 –17 (6th Cir. 2001) (holding that private cable company had violated section 705 by selling the broadcast transmission of a boxing match to a commercial customer, when the company was only authorized by the program’s originator to distribute it to residential customers). We do not read these cases as negating the relevance of the precedents discussed above, which contemplate consent by either party to communications such as telephone calls. For one thing, the modern case law does not purport to overrule or limit the precedents discussed above. More significantly, in this line of cases there is no contention that the recipient of a licensed commercial broadcast—who often acts pursuant to a contractual agreement with the originator—is “authorized” to distribute the material beyond the terms of that agree- ment. 9 In light of this case law, we do not believe the existence of an express consent excep- tion in the Wiretap Act requires a contrary interpretation of “authorized channel[] of transmission or reception” in section 705. When Congress reenacted the language of section 705 in the 1968 Wiretap Act, it did so against the settled background of case law interpreting the pre-Wiretap Act statute to allow consensual interception. By reenacting statutory text that was in large part identical to the preexisting language, and by indicating no disapproval of settled case law, Congress can be understood to have left in place the established meaning of the text it employed rather than to have impliedly precluded recognition of a consent exception.
277 33 Op. O.L.C. 269 (2009)
individual federal employees using government information systems are sufficient to avoid a violation of that provision by the ISP, DHS, or USDA, in conjunction with the authorized operation of the EINSTEIN 2.0 system. First, with respect to potential violations by the service provider, we believe any “divulge[nce]” of communications would occur through an “authorized channel[] of transmission or reception.” As to any disclo- sure by the provider of communications between third parties and USDA, the agency has “authorized” the service provider to disclose such commu- nications to DHS by virtue of the Memorandum of Agreement between USDA and DHS, which memorializes USDA’s consent to the scanning of its Internet traffic for cybersecurity purposes. As to disclosure by the service provider of communications addressed to or sent by individual employees, we have previously concluded that a federal employee’s valid, voluntary consent to the scanning of Internet traffic is apparent from his clicking through an approved log-on banner or signing the computer-user agreement in order to gain access to a government-owned information system, see EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 98, and we believe this consent would foreclose any claim that the service provider would violate section 705 by transmitting communications through the intrusion- detection sensors operated by DHS because it would authorize any result- ing divulgence. We similarly conclude that the same consents—by USDA and USDA employees—“authorize” DHS to “divulge” the communications to any other authorized agency without running afoul of the prohibition in sec- tion 705. As to communications involving the agency itself, USDA has expressly consented to any such disclosures by DHS through the Memo- randum of Agreement and other documents detailing the operation of the EINSTEIN 2.0 program. As to communications involving individual employees, the model log-on banner and computer-user agreement dis- cussed in our EINSTEIN 2.0 Opinion state expressly that “[a]ny commu- nications or data transiting or stored on this information system may be disclosed or used for any lawful government purpose.” 33 Op. O.L.C. at 70. The scope of the employee’s consent to disclosure for any “lawful government purpose” is informed by our separate conclusion in the con- text of 18 U.S.C. § 2511 that DHS is “authorized by law” to conduct an exercise involving EINSTEIN technology, as described in the implemen- tation plan governing that exercise, by virtue of several affirmative statu- tory authorities, particularly a recent appropriations statute providing
278 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
funding for the precise exercise in question, as well as DHS’s organic statute and the Federal Information Security Management Act. Finally, we believe the log-on banner and computer-user agreements discussed above would also be sufficient to foreclose any claim that USDA would violate section 705 by divulging to DHS, through its partic- ipation in EINSTEIN 2.0, the contents of communications addressed to its employees. This reading of section 705 is consistent with the conclusion in our EINSTEIN 2.0 Opinion that the EINSTEIN 2.0 program would not violate parallel non-disclosure provisions contained in the Wiretap Act. Section 2511(3) of title 18, U.S. Code, provides that “a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication . . . while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intend- ed recipient,” except “with the lawful consent of the originator or any addressee or intended recipient of such communication,” or “to a person employed or authorized, or whose facilities are used, to forward such communication to its destination.” Our EINSTEIN 2.0 Opinion conclud- ed that EINSTEIN 2.0 would not unlawfully “divulge” the contents of Internet communications within the meaning of section 2511(3), both because the participating agency and its employees would have manifest- ed consent to the scanning, and “because the federal government is ‘au- thorized,’ and its ‘facilities are used, to forward such communications to [their] destination.’” 33 Op. O.L.C. at 96. With respect to individual federal employees, we further noted that Internet communications cannot reach employees at work without routing through the government’s com- puter systems. Id. Thus, even if section 705 is not read by terms to incor- porate this exception, we find it significant that the exception we conclude section 705 adopts is hardly a novel one in this area. We are also not aware of any legislative history that indicates a congressional intention to preclude recognition of such an exception here.
II.
We believe the EINSTEIN 2.0 system would also comply with the pro- vision of the Stored Communications Act (“SCA”), codified at 18 U.S.C. § 2702(a)(3), that provides that “a provider of remote computing service
279 33 Op. O.L.C. 269 (2009)
or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by [section 2702(a)(1) or (a)(2)]) to any governmental entity.” Insofar as the EINSTEIN 2.0 system examines, in real time, Internet traffic-flow data that is not retained by the ISP, there may be grounds to assert that this provision is simply inapplicable, because the data in ques- tion is not a “record or other information” within the possession of the ISP. Even assuming, however, that section 2702(a)(3) by its terms may apply to EINSTEIN 2.0, we believe that the statutory exception permitting disclosure based on “the lawful consent of the customer or subscriber” would apply. 18 U.S.C. § 2702(c)(1)(C) (2006). That is because we be- lieve that in this context the government, and no other party, should be understood as the “customer or subscriber” of the ISP for purposes of this exception. On this view, even assuming that non-content informa- tion obtained from or with the assistance of the ISP regarding Internet traffic that passed onto or off of the government’s system would qualify as “record[s] or other information” under the SCA, these “record[s] or other information” would “pertain[] to” the government as a “subscriber to or customer of [the ISP’s] service,” and the government could there- fore provide “lawful consent” to divulge this information. 18 U.S.C. § 2702(c)(2). This construction of the statute fits naturally with the plain text: insofar as a government agency has contracted with an ISP for Internet service, the government is indisputably a “customer” (if not also a subscriber) of the ISP. In accordance with this view, the Ninth Circuit has characterized a municipality as a “subscriber” of a text-messaging service where the municipality contracted with the service to provide two-way text pagers to police officers and other municipal employees. See Quon v. Arch Wireless Operating Co., 529 F.3d 892, 895, 903 (9th Cir. 2008). Insofar as end users such as individual employees hold a protected pri- vacy interest in non-content information, the employer’s consent to dis- closure might violate some legal obligation of the employer, but it would not create liability for the ISP under the SCA, since the ISP had obtained the necessary consent of its “customer or subscriber.” In any event, in our case, the individual employees have also consented to the disclosure, so disclosure should not violate any SCA-protected interest of theirs (even if they are also somehow “customers or subscribers” of the ISP). Nor
280 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
does there appear to be any Fourth Amendment issue with the disclosure. Not only have the employees here consented to the disclosure, but courts have generally concluded that there is no reasonable expectation of privacy in non-content information provided to an ISP. See, e.g., United States v. Perrine, 518 F.3d 1196, 1204–05 (10th Cir. 2008) (collecting cases); Freedman v. America Online, Inc., 412 F. Supp. 2d 174, 181–82 (D. Conn. 2005). We recognize the concern that non-content information pertaining to one customer or subscriber (such as the government in our case) could include information pertaining to other customers or subscribers of the ISP insofar as those other parties have sent or received traffic from the first customers/subscriber’s computers. But we do not believe the SCA should be read to require separate consent from both customers/sub- scribers in that circumstance. Such records or information “pertain” to the customer/subscriber providing consent, even if they reveal information about other customers/subscribers too, so under the plain text of the statute one-party consent seems sufficient for disclosure. Indeed, any other interpretation would yield the odd result that a customer’s ability to consent to disclosure of its information would depend on whether other parties it telephoned or emailed happened to be customers of the same provider. Also, unlike content information, which relates to discrete messages each with a particular sender and particular recipients, the “record or other information” covered by section 2702(a)(3) often in- volves an aggregation of data—the total record of a customer/subscriber’s Internet traffic or phone calls, for example—that is unique to the individ- ual customer/subscriber and for which (as a result) no other party could provide meaningful consent. Information regarding other custom- ers/subscribers who have not provided consent could of course be dis- closed under this analysis only to the extent that such information is contained in a “record or other information” pertaining to the customer or subscriber who has provided lawful consent (here, the government). Furthermore, the SCA’s consent exception for content information ex- pressly allows one-party consent—either the “originator” or the “address- ee” or “intended recipient” of the communication may authorize disclo- sure of its contents, 18 U.S.C. § 2702(b)(3)—and it would be anomalous if the provisions on non-content information, which are generally less restrictive, imposed a more stringent consent requirement than those for content information. Cf. In re American Airlines, Inc. Privacy Litig., 370
281 33 Op. O.L.C. 269 (2009)
F. Supp. 2d 552, 561 (N.D. Tex. 2005) (construing statute to allow any intended recipient of a communication to authorize disclosure of content information). Congress appears to have adopted the current SCA provi- sions on non-content information in part to bring those provisions more in line with provisions on content information. Before 2001, the SCA pro- vided only that a provider could disclose “a record or other information pertaining to a subscriber to or customer of [the provider’s] service (not including [content information]) to any person other than a governmental entity” and that the provider generally could disclose such records or information to a governmental entity “only when the governmental entity . . . ha[d] the consent of the subscriber or customer to such disclosure” or satisfied one of several other enumerated exceptions. See 18 U.S.C. § 2703(c) (2000); Pub. L. No. 99-508, § 201, 100 Stat. 1848, 1860 (1986). Congress amended the statute to provide that, even without an affirmative government request, the provider may disclose records and information covered by section 2702(a)(3) “with the lawful consent of the customer or subscriber” or in certain other specified circumstances. See 18 U.S.C. § 2702(c)(2) (Supp. I 2001); Pub. L. No. 107-56, § 212(a)(1)(E), 115 Stat. 272, 284 (2001). As explained in the legislative history, Congress intended this change “to allow communications providers to disclose non- content information (such as the subscriber’s login records).” H.R. Rep. No. 107-236, pt. 1, at 58 (2001). Under pre-2001 law, the House Judiciary Committee explained, “the communications provider [was] expressly permitted to disclose content information but not expressly permitted to provide non-content information. This change would cure this problem and would permit the disclosure of the less-protected information, parallel to the disclosure of the more protected information.” Id.; see also 147 Cong. Rec. 19,001, 19,009 (statement of Sen. Leahy) (discussing 2001 amendments and observing that “the right to disclose the content of com- munications necessarily implies the less intrusive ability to disclose non- content records”). In addition, although we are aware of little relevant legislative history bearing directly on the meaning of “consent” in section 2702(a)(3), the legislative history of the SCA as originally enacted sug- gests that Congress understood background legal principles to allow one- party consent, which arguably supports construing consent provisions of the statute in accordance with that understanding. See S. Rep. No. 99-541, at 3 (1986) (observing that “because [information on remote computer systems] is subject to control by a third party computer operator, the
282 Additional Questions Concerning Use of EINSTEIN 2.0 Intrusion-Detection System
information may be subject to no constitutional privacy protection” (citing United States v. Miller, 425 U.S. 435 (1976))).
III.
Finally, we do not believe the EINSTEIN 2.0 program impermissibly infringes state wiretapping and communication privacy laws. See, e.g., Fla. Stat. Ann. § 934.03(3)(d) (West 2009); 18 Pa. Cons. Stat. Ann. § 5704(4) (West Supp. 2009); Md. Code Ann., Cts. & Jud. Proc. § 10- 402(c)(3) (Lexis Nexis 2009); Cal. Penal Code § 631(a) (West 1999). To the extent that such laws purported to apply to the conduct of federal agencies and agents conducting authorized EINSTEIN 2.0 operations and imposed requirements that exceeded those imposed by the federal statutes discussed above and in our EINSTEIN 2.0 Opinion, they would “stand[] as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause. Hines v. Davidowitz, 312 U.S. 52, 67 (1941); see also Geier v. Am. Honda Motor Co., 529 U.S. 861, 873 (2000); Old Dominion Branch v. Austin, 418 U.S. 264 (1974); Bansal v. Russ, 513 F. Supp. 2d 264, 283 (E.D. Pa. 2007) (concluding that “federal officers participating in a feder- al investigation are not required to follow” state wiretapping law contain- ing additional requirements not present in the federal Wiretap Act, be- cause in such circumstances, “the state law would stand as an obstacle to federal law enforcement”); Johnson v. Maryland, 254 U.S. 51 (1920); cf. United States v. Adams, 694 F.2d 200, 201 (9th Cir. 1982) (“evidence obtained from a consensual wiretap conforming to 18 U.S.C. § 2511(2)(c) is admissible in federal court proceedings without regard to state law”).
DAVID J. BARRON Acting Assistant Attorney General Office of Legal Counsel